Configure IKE2 site to site vpn between cisco router and fortigate
Dears;
I have FG 100D and i need to create a IPSec site to site using IKEV2 , FG has a static IP but Cisco router has a dynamic IP.
IS this configuration achievable?
Regards;
Mohammed
I have FG 100D and i need to create a IPSec site to site using IKEV2 , FG has a static IP but Cisco router has a dynamic IP.
IS this configuration achievable?
Regards;
Mohammed
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Yes, that would mean the cisco has to initiate the VPN connection.
The setting on the fortigate can not require a wan IP meaning the site to site VPN is open to all provided they have the LAN to LAN and the the pre share key, group rules
To maintain the VPN active,you have to have activity/ping from the Cisco side .......
Cisco
Peer ID fortigate wan
Cisco Local LAN
Fortigate Remote LAN
Fortigate
From any source
Fortigate local LAN
Cisco remote LAN
Then match the settings for encapsulating/encryption and group 1,2,3 768,1024,etc
Key lifetime, and refresher...
Set the parameters on one side, in your case the fortigate, then match it in the Cisco VPN setup...
Cisco has several examples of Cisco to fortigate as well as fortigate has examples of VPNs to Cisco.
The setting on the fortigate can not require a wan IP meaning the site to site VPN is open to all provided they have the LAN to LAN and the the pre share key, group rules
To maintain the VPN active,you have to have activity/ping from the Cisco side .......
Cisco
Peer ID fortigate wan
Cisco Local LAN
Fortigate Remote LAN
Fortigate
From any source
Fortigate local LAN
Cisco remote LAN
Then match the settings for encapsulating/encryption and group 1,2,3 768,1024,etc
Key lifetime, and refresher...
Set the parameters on one side, in your case the fortigate, then match it in the Cisco VPN setup...
Cisco has several examples of Cisco to fortigate as well as fortigate has examples of VPNs to Cisco.
As Arnold already wrote, the Cisco router will need to initiate the connection setting it up is typically pretty easy, depending on the OS version on the FortiGate the Wizard will make it even easier (though you may want or need to change to custom VPN once you ran through the Wizard). Cisco has a lot of manual steps of course, with configuring the phase 1/phase 2 parameters, crypto maps etc. ... typically the setup shouldn't take more than 15-30 minutes with anybody who knows both systems ...
Here are some links that could help:
http://cookbook.fortinet.com/ipsec-vpn-forticlient/ - Fortinet end
http://www.petenetlive.com/KB/Article/0000933 - one sample setup, for Cisco/Cisco VPN, but most settings are usable for your case
Here are some links that could help:
http://cookbook.fortinet.com/ipsec-vpn-forticlient/ - Fortinet end
http://www.petenetlive.com/KB/Article/0000933 - one sample setup, for Cisco/Cisco VPN, but most settings are usable for your case
instead of a IP pear ID try the so called DNS name (doesn't need to exist or email format, also not required to exist) but both should be the same on both sides. This makes it feasable to have multiple preshared keys for multiple roaming VPN's.
(Unless cisco cannot handle those ..., not sure about a possible setting there).
(Unless cisco cannot handle those ..., not sure about a possible setting there).
Premium Content
You need an Expert Office subscription to comment.Start Free Trial